Updated: Jan 12, 2018 | 21:09 IST | Mirror Now Digital
A French security researcher hacked into the official Aadhaar app on Android and revealed some serious flaws.
Every day seems to start with a sunrise, a desire to stay bundled up under the blankets and of late, a fresh security concern regarding Aadhaar.
It was just days ago that The Tribune newspaper and its reporter Rachna Khaira exposed the leaks in the system and alleged that one billion numbers were available for a mere Rs. 500. That's not all - if a paltry sum of 300 rupees was paid, the buyer could also get a fresh Aadhaar card made with a number of their choice.
Now, a French security researcher hacked into the official Aadhaar app on Android and revealed some serious flaws.
Indiatimes reports that the white-hat hacker, who goes by the name Elliot Alderson, drew attention to the fact that mAadhaar (the official Android app for Aadhaar) had poor security standards built in.
"It's super easy to get the password of the local database," he said.
Hi #Aadhaar ! Can we talk about the #BenefitsOfAadhaar for the #India population?
I quickly checked your #android app on the #playstore and you have some security issues... It's super easy to get the password of the local database for example...
The #Aadhaar #android app is saving your biometric settings in a local database which is protected with a password. To generate the password they used a random number with 123456789 as seed and a hardcoded string db_password_123
If true, "123456789" is literally the worst password anyone could keep, especially if they are tasked with protecting the biometric data of the largest democracy in the world.
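To show why the construction described in that tweet gives no secrecy, here is an added illustration that is not mAadhaar's code: the derivation shape, character set and output length are assumptions. A java.util.Random-style generator seeded with the constant 123456789, combined with the hardcoded string db_password_123, yields the same string on every install, whereas a secret drawn once per install from the OS CSPRNG does not.

```python
import os
import string

MASK48 = (1 << 48) - 1
MULT = 0x5DEECE66D
ALPHABET = string.ascii_letters + string.digits


class JavaRandom:
    """Minimal re-implementation of the LCG documented for java.util.Random,
    enough to show that a constant seed produces a constant output stream."""

    def __init__(self, seed: int) -> None:
        self.seed = (seed ^ MULT) & MASK48

    def next_bits(self, bits: int) -> int:
        self.seed = (self.seed * MULT + 0xB) & MASK48
        return self.seed >> (48 - bits)

    def next_int(self, bound: int) -> int:
        # General (non-power-of-two bound) path of Random.nextInt(bound);
        # the comparison reproduces Java's 32-bit overflow rejection check.
        while True:
            bits = self.next_bits(31)
            val = bits % bound
            if bits - val + (bound - 1) < 2 ** 31:
                return val


def flawed_db_password(seed: int = 123456789, salt: str = "db_password_123") -> str:
    """Hypothetical derivation of the shape described in the tweet (assumed,
    not the app's actual code): fixed PRNG seed plus hardcoded string.
    Because nothing here is per-device, every install ends up with this value."""
    rng = JavaRandom(seed)
    random_part = "".join(ALPHABET[rng.next_int(len(ALPHABET))] for _ in range(8))
    return salt + random_part


def per_install_secret(nbytes: int = 32) -> bytes:
    """What the secret should be instead: generated once per install from the
    OS CSPRNG and then kept out of the app's code (on Android, in the Keystore)."""
    return os.urandom(nbytes)


def same_on_every_device(derive, runs: int = 3) -> bool:
    """Simulate several independent installs: True if they all share one secret."""
    return len({derive() for _ in range(runs)}) == 1
```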
Read: Multiple official websites of Gujarat state government exhibiting Aadhaar details of beneficiaries
What does this all mean? This is what the white-hat hacker retweeted:
Just so that non-tech people don't understand, this means
1. Any decent tech person can *get* the encrypted Mobile Aadhaar PIN because the "password" is known.
2. All the person needs is to get access to your phone.
3. Your phone gone, Your Aadhaar gone.
That's not all - the user also offered to show UIDAI how to bypass the protection mechanism it had set up and run the Aadhaar Android app on a rooted phone. Read the thread below:
1. Hi @UIDAI and @KhoslaLabs ! Let me show you how to bypass the protection mechanism you set up and run the #Aadhaar #Android app on a rooted phone.
This is definitely worrying, and so the Twitter user leaves a message for Indian users:
Hi #Indian people! Please don't post online your #Aadhaar card. By reading the QR code with a QR code reader app on a #Aadhaar card found on Google images, I obtained the name, gender, birthday, personal address of the card holder.
